Sunday, May 11, 2014

SUI for PeopleSoft Campus Solutions Part 3

In previous post I described how to install the Fusion Middleware components and the SUI application.
In this post I will describe the steps you have to take to implement Authentication & Authorisation.

In order to use the SUI application we need to configure Authentication and Authorisation. Before we start let me give you an overview of the connectivity we need to accomplish.

When users log in to the SUI application they need to be authenticated against the PeopleSoft system. This will be accomplished by authentication provider jar files that we will deploy in Weblogic that is running SUI and add this provider to the Weblogic configuration. After users log in, they will need to be authorised, to use certain parts of the SUI application. ADF has a built in security model that allows you to provide access to certain taskflows (pages) using Application Roles. Within Weblogic we can create Groups, that we can assign to these Application Roles. Groups in Weblogic map to Roles in PeopleSoft. Finally the taskflows in the SUI application retrieve and send data to/from PeopleSoft using webservices that are authorised by Permission lists. These webservice calls are in its turn secured by SAML.

When we look at how the SUI application is shipped, we can mock up the following matrix. For example, if you wish to provide students access to all the taskflows, you could create a Role in PeopleSoft and a group in Weblogic with the same like, CS - Student and assign this Role to students in PeopleSoft. If you wish to apply a more granular security model you could use one of the other predefined Groups/Roles or even create your own security model.


Creating groups in Weblogic is done by selecting Security Realms from the left pane and then selecting myrealm from the list.

The Groups can be mapped to Application Roles using Enterprise Manager.


In folder $PS_HOME\setup\oracle\adf\sce\CS_SCE\deploy\dependencies\Security you will find two jar files.
Copy CsPsftAuthenticator.jar to $MW_HOME\wlserver10.3\server\lib\mbeantypes, in my case this is C:\apps\SUI\oracle\Middleware\wlserver_10.3\server\lib\mbeantypes.
Copy CsPsftAuth.jar in $MW_HOME\wlserver_10.3\server\lib.
Now open file  $MW_HOME\wlserver_10.3\common\bin\commEnv.cmd and add the last line like below:

@rem set up WebLogic Server's class path and config tools classpath
set WEBLOGIC_CLASSPATH=%JAVA_HOME%\lib\tools.jar;%WL_HOME%\server\lib\weblogic_sp.jar;%WL_HOME%\server\lib\weblogic.jar;%FEATURES_DIR%\weblogic.server.modules_10.3.6.0.jar;%WL_HOME%\server\lib\webservices.jar;%ANT_HOME%/lib/ant-all.jar;%ANT_CONTRIB%/lib/ant-contrib.jar
set FMWCONFIG_CLASSPATH=%JAVA_HOME%\lib\tools.jar;%BEA_HOME%\utils\config\10.3\config-launch.jar;%WL_HOME%\server\lib\weblogic_sp.jar;%WL_HOME%\server\lib\weblogic.jar;%FEATURES_DIR%\weblogic.server.modules_10.3.6.0.jar;%WL_HOME%\server\lib\webservices.jar;%ANT_HOME%/lib/ant-all.jar;%ANT_CONTRIB%/lib/ant-contrib.jar

Restart the Weblogic server after the change.

Log in the Weblogic Console and the custom authentication provider. 

Set PeopleSoft specific settings.
Mapped Roles: All roles you wish to use
End Point Url: http://<server:port>/PSIGW/PeopleSoftServiceListeningConnector

Also make sure to set the Control Flag of the DefaultAuthenticator to SUFFICIENT.

Activate PeopleSoft Web Services

So far we have enabled authentication and authorisation on the Weblogic and ADF side. The taskflows use PeopleSoft web services to retrieve and send data to and from PeopleSoft.
Below table states alle the web services and operation that you will need to activate, keeping in consideration the granularity of the security model you want to enforce.

Application SectionWeb ServiceService Operation

The following service operations also need to be enabled.

Web ServiceService Operation

Before you activate the web services, you need to create a new Node that will enforce SAML in the routing.

When activating service operations, add a new routing with this node as the sender node to the default local node.

Add the Service Operations to the desired permission list, again keeping in consideration the granularity of the security model you wish to enforce.

Install OWSM using RCU

To enforce SAML in Weblogic we need to install OWSM. OWSM is installed automatically with Weblogic but not turned on. Before extending the domain with OWSM we need to create the required database schema OWSM uses. For this you need to use RCU. You can use the PeopleSoft database to create this new schema (if you are running an Oracle DB)

Start the RCU installer from the installer folder:

Extend Domain with OWSM

Start the Weblogic configuration wizard and chose to extend the domain.

Provide the credentials of the OWSM schema you provide during the RCU installer.

Create certificates

In order for SAML to work properly we need to import certificates in default-keystore.jks file that is located in the directory $DOMAIN_HOME/config/fmwconfig.
You can either import a keypair you already have or generate a self signed certificate (in Production environments never user self signed certificates!)
On my sandbox environments, I will generate and export a self signed certificate and use this.

keytool -genkey -alias sceserver -keyalg RSA -dname "cn=sceserver, ou=cs, o=oracle" -keypass welcome1 -keystore default-keystore.jks -storepass welcome1

keytool -list -keystore default-keystore.jks
Enter keystore password:  welcome1

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

sceserver, Apr 6, 2014, keyEntry,
Certificate fingerprint (MD5): C6:2D:E7:BF:FD:9C:AB:ED:4B:11:1A:C6:6F:A9:19:16

keytool -export -v -alias sceserver -keystore default-keystore.jks -storepass welcome1 -rfc -file sceserver.cer
Certificate stored in file <sceserver.cer>

After the certificate is exported the credentials in the Oracle WebLogic Server domain credential store will have to be updated with the passwords used for the keystore. For this we need to use the wlst tool. Execute the following commands:


Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

wls:/offline> connect('weblogic','<your_weblogic_pswd>','<server>:7001')
Connecting to t3:// with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'sui

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.

wls:/sui_domain/serverConfig> createCred(map="", key="sign-csf-key", user="sceserver", password="welcome1", desc="credentials of main user")
Location changed to domainRuntime tree. This is a read-only tree with DomainMBea
n as the root.
For more help, use help(domainRuntime)

wls:/sui_domain/serverConfig> createCred(map="", key="enc-csf-key", user="sceserver", password="welcome1", desc="credentials of key alias")
Already in Domain Runtime Tree

wls:/sui_domain/serverConfig> createCred(map="", key="keystore-csf-key",user="n/a", password="welcome1", desc="description of credentials")
Already in Domain Runtime Tree

Import certificate in PeopleSoft Integration Broker

We will need to import the public certificate sceserver.cer in PeopleSoft that is to be found in path C:\apps\SUI\oracle\Middleware\user_projects\domains\sui_domain\config\fmwconfig

Execute the following command:

$PS_HOME\jre\bin\keytool -import -alias sceserver
 -file C:\apps\SUI\oracle\Middleware\user_projects\domains\sui_domain\config\fmw
config\sceserver.cer -keystore C:\apps\psoft\config\webserv\peoplesoft\piaconfig
\keystore\pskey -storepass password
Owner: CN=sceserver, OU=cs, O=oracle
Issuer: CN=sceserver, OU=cs, O=oracle
Serial number: 536763ba
Valid from: Mon May 05 12:11:06 CEST 2014 until: Sun Aug 03 12:11:06 CEST 2014
Certificate fingerprints:
         MD5:  77:6B:26:2A:9E:70:D0:5C:B0:0A:D5:07:B1:CC:74:C2
         SHA1: D8:C9:9F:72:D7:A5:33:A2:99:AC:05:08:9E:E1:96:1D:5D:3B:06:91
         Signature algorithm name: MD5withRSA
         Version: 1
Trust this certificate? [no]:  yes
Certificate was added to keystore

Open file $PIA_HOME\webserv\<DOMAIN>\peoplesoft\applications\PSIGW.war\WEBINF\
classes\ to update the credentials like shown below. Use PSCIPHER to encrypt the password.\apps\psoft\config\webserv\peoplesoft\piaconfig\keystore\pskey{V1.1}7m4OtVwXFNyLc1j6pZG69Q==

Import certificate in PeopleSoft Application Server

Open the file sceserver.cer in notepad and copy the entire content.
Navigate to PeopleTools > Security > Security Objects > Digital Certificates and add a new Root Certificate and new remote entry specifying exactly the same content.

Configure SAML Inbound Setup

Navigate to PeopleTools > Security > SAML Administration Setup > SAML Inbound Setup to configure SAML for individual users (or use the automated proces for setup for multiple users) and enter the following settings:

You are now ready to start using SUI for Campus!

Start the application by navigating to http://<server>:7001/CsSce

Some Tips

Although the installation does not mention it, make sure that the node HRMS has its Portal tab configured properly, otherwise the related links in SUI will not work.

When testing the SUI application you could encounter errors. These errors are shown in the SUI application, but this does not have to mean that the SUI application is the cause of the error. In order to find the error set trace settings on application server, integration logging, Enterprise Manager.

You can add additional logging from the web service logic by changing the settings in the following table.

You may notice that you have a missing branding image in the left corner and a missing background image. When you open the page source, you will notice that these point to and

When you search the server, you will be able to find these images, but off course your application is not running on this url and initially not on port 80. In SUI for Fusion Application the branding image and background can be set using a UI settings, but this seem to be missing in SUI for Campus. If someone knows how to fix this, please comment on this post.

In my sandbox I can easily fake my host to route to by adding this entry in my hosts file and creating a folder FuseTmp in PIA, since this is already running on port 80, but this off course not the proper way to work.

No comments:

Post a Comment